Tuesday, April 07, 2009

Industry Group Calls For Public-Private Cyber Security Standards

The federal government should establish minimum standards of cybersecurity for both public and private organizations, rather than focus primarily on requirements for protecting government computer networks, according to recommendations from an association of intelligence and security professionals.

A comprehensive cybersecurity plan, coordinated by the White House, should include a common set of standards that defines the level of cyber defense private sector organizations apply to their computer systems and networks, scaled to the sensitivity of the information involved, and should provide guidelines for assessing cyber preparedness, concluded a report [.pdf] from the Arlington, Va.-based Intelligence and National Security Alliance. INSA formed a task force with representatives from 26 companies to provide recommendations for a national cybersecurity plan to Melissa Hathaway, senior director for cyberspace for the administration's national security and homeland security councils. Hathaway is nearing the end of the 60-day review of federal cybersecurity initiatives that the Obama administration ordered.

Private sector organizations typically oversee their own network security, or follow industry standards for protecting information. Common standards for the public and private sectors would ensure a base level of security across all industries, said Frank Blanco, INSA's executive vice president. He added that the federal government could encourage compliance by soliciting input from industry on effective minimum standards.

"There's always the danger" that government recommendations will face pushback from industry, Blanco said. "But if industry and government are in a room together, talking about what the minimum standards should include and what that would mean for everyone involved, industry would be more receptive."